Actually, we have seen similar issues in our mixed mode domain. Sometimes, it seems that there is a sync problem between the PDC and BDCs. Other times, we have no clue why it is occurring to an individual over and over again. We have even gone so far as to delete and recreate accounts in AD for users experiencing repeated lock-outs. The only common thread seems to have been their accessing Exchange through Outlook. Users could log in after their account was unlocked, but later in the day they would be locked out again. Passwords were not being cached at all, and it was almost always a Win2kPro box that the user was logging on through. I am uncertain as to the exact cause(s), but recreating the user object has resolved the issues for users experiencing this.
-----Original Message-----
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 9:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Lockouts in mixed mode

We have a mixed mode AD (single forest/single tree/single domain), with about 20 DCs and 35 BDCs. Accounts are administered centrally by a very small group, and they typically connect to the DC that holds the PDC FSMO to do all administrative tasks. Our account lockout policy locks accounts after three bad attempts.

Over the past several months, we've seen a couple of strange issues with account lockouts:

1. Once in a while, a user will be locked out again and again for no apparent reason. For example, they arrive at work, attempt to log in, and are locked out. The admins unlock the account and the user logs in, but if you check the account later it is locked out again. If the user then logs out, they are unable to log in because of the lock. We've seen this happen to a given user several times over a few days, then mysteriously disappear. Some users have a great deal of trouble with this; most never see it.

2. When an account is locked out, the admin will typically unlock it by going to the Account tab on the user's object in Active Directory Users and Computers. In some cases, however, even after doing so the user is unable to log on. Since these folks are old-time NT admins, they will then often open User Manager for Domains and try unlocking the account from there. Strangely, they sometimes need to perform the unlock from BOTH tools before the user is able to log on. At first, I thought this was just a timing issue, or that they were looking at the account info on different servers, but I have seen with my own eyes cases where ADU&C connected to the PDC emulator shows one lockout status, and User Manager for Domains shows another. I'm trying to get the admins away from User Manager for Domains altogether, but they don't trust 'Users and Computers' in this case.

I've tried to explain that the "NT Domain" and the "Active Directory Domain" are the SAME THING, but they're not buying it when they see a different view in the two tools.

My questions:

1. Is anybody else having similar lockout problems? The Q articles on the subject don't seem to apply to this scenario.

2. When an admin uses User Manager for Domains, it obviously can make changes only at the (emulated) PDC. Does this mean that the lockout status it displays is the one stored on that server, or is it possible that it's displaying status read from a BDC?

3. Has anyone else seen a case where they had to unlock an account using both tools before the user could log in?

4. Is there any other reason why attributes that are displayable in User Manager for Domains should NOT be IDENTICAL to the same attributes as displayed in Active Directory Users and Computers? In other words, does the PDC emulator store this data in a separate SAM that can somehow be temporarily out of sync with the AD, or is the PDC emulator a real-time conduit into the AD store?

Thanks for any ideas...

Dave Fugleberg

List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
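The practical way to settle Dave's questions 2 and 4 (which server's view of the lockout am I looking at, and do the DCs disagree) is to ask every DC directly for the same account's lockout attributes. The script below is an added example, not from the thread or either poster; it assumes a current AD domain with the ActiveDirectory PowerShell module (RSAT) installed, which did not exist in 2001, and the account name is a placeholder.

```powershell
# Added example: compare one account's lockout-related attributes as each DC sees them.
# badPwdCount and badPasswordTime are NOT replicated, so they legitimately differ per DC;
# lockoutTime is replicated, so a DC that disagrees on it for long deserves a closer look.
param(
    [Parameter(Mandatory)] [string]$SamAccountName   # placeholder, e.g. 'jdoe'
)
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

# Convert a Windows FILETIME attribute to a DateTime; 0 means "never" / "not locked out"
function ConvertFrom-FileTime([Int64]$ft) {
    if ($ft) { [DateTime]::FromFileTime($ft) } else { $null }
}

$rows = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties lockoutTime, badPwdCount, badPasswordTime, LockedOut -ErrorAction Stop
        [pscustomobject]@{
            DC              = $dc.HostName
            IsPDCEmulator   = ($dc.HostName -eq $pdc)
            LockedOut       = $u.LockedOut
            LockoutTime     = ConvertFrom-FileTime $u.lockoutTime
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = ConvertFrom-FileTime $u.badPasswordTime
        }
    } catch {
        # Unreachable DC (or an NT4 BDC that does not speak LDAP) still gets a row
        [pscustomobject]@{
            DC = $dc.HostName; IsPDCEmulator = ($dc.HostName -eq $pdc)
            LockedOut = 'unreachable'; LockoutTime = $null; BadPwdCount = $null; LastBadPassword = $null
        }
    }
}

$rows | Format-Table -AutoSize

# Flag every DC whose lockout view disagrees with the PDC emulator, which is the
# server User Manager for Domains is talking to.
$pdcView = $rows | Where-Object IsPDCEmulator
$rows | Where-Object { $_.LockedOut -ne $pdcView.LockedOut } | ForEach-Object {
    Write-Warning "$($_.DC) reports LockedOut=$($_.LockedOut); PDC emulator $pdc reports $($pdcView.LockedOut)"
}

# The DC with the highest badPwdCount / latest badPasswordTime is the one that received
# the failed attempts; its Security log names the workstation that sent the bad password.
```

Run it as a domain user right after an unlock and again when the account "re-locks" to see which DC the bad attempts are arriving at, which is usually the clue to the client (an Outlook session, a mapped drive, a stale logon) replaying an old password.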